[squid-users] Default host_verify_strict behavior appears to have changed as of 3.5.25

steveno soakley at expedia.com
Wed Feb 7 18:03:44 UTC 2018


I was using Squid 3.5.20 and encountered an issue running out of file
descriptors on CentOS 7. The scenario was that sockets would be abandoned in
a "CLOSE_WAIT" state forever until the server ran out of FDs.
Searching, I found the following bug:
https://bugs.squid-cache.org/show_bug.cgi?id=4508
This is listed as being fixed in 3.5.25, so I installed that version. Once
installed, the FD problem seemed to be resolved, but now there is another
issue: "Default Value: host_verify_strict off" seems to be lost. In my access
logs I get a number of entries:
2018-02-07 17:10:42      0 10.x.x.x TAG_NONE/409 3941 CONNECT sqs.us-west-2.amazonaws.com:443 sqs.us-west-2.amazonaws.com HIER_NONE/- text/html

In the cache logs I get:
2018/02/07 17:57:45 kid1| SECURITY ALERT: on URL: sqs.us-west-2.amazonaws.com:443

And the clients making those requests tend to see dropped connections with a
"SSL: UNKNOWN_PROTOCOL" error.

I tried setting the value "host_verify_strict off" but it did not appear to
have any effect.

It looks like this fix for the File Descriptors has broken something else.

Thanks.

Steven Oakley.


